Hm, this doesn't match the qmail schema one I found, it had SUB as well
as EQ.

In this case, sub is not an attribute that I would need. I did not take
it out of the schema that I found, but have no reason to put it back in.
The process for this field is: look up to see if the given address is
stored in either the mail or mailAlternateAddress field and return the
mailMessageStore to know where the maildirs are at. The local delivery
agent now takes the email and stores it in ${mailMessageStore}/new.
Therefore a partial match could be a disastereous thing. Someone long
before me probably took it out because of that.

Imagine a spammer forcing a message to @example.com, all the hard work to
steal email addresses would be useless since everyone would match that
address... ouch! Better to match only on the whole field and not the
substring.

Well, just because the schema has a rule for substring matching does not
mean that you have to index it via sub. ;) That is entirely up to you. It
just provides a method for doing so if you so choose.

One thing to consider doing, is to use run slapd with -d -1 and run your
query that isn't working. I've often found that this will tell me a lot
about what is happening (especially if the problem is ACL related).